Vidar

Vidar is a dangerous malware family that steals information and cryptocurrency from infected users. It takes its name from the ancient Scandinavian god of vengeance. This upgraded version of the Arkei stealer has been terrorizing the internet since 2018.

Type: Trojan
Origin: ex-USSR
First seen: 1 December, 2018
Last seen: 27 January, 2023
Also known as: Arkei
Global rank: 13
Week rank: 6
Month rank: 7
IOCs: 50186

What is Vidar / Arkei malware?

Vidar is an information stealer trojan that was first identified in December 2018. It is either a fork of Arkei or the result of its evolution. Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems, take screenshots, steal cryptocurrency, and more.

General description of Vidar malware

Vidar is presumed to have originated in a Russian-speaking country since the malware is configured to stop execution if it detects that it is being run on a machine that is located in one of the ex-USSR nations or on one that has a Russian keyboard layout.

Being another cyber threat available for purchase under the MaaS (Malware-as-a-Service) business model, Vidar can be bought on its “official” website for a hefty price tag of $700, at least for the PRO version, while a stripped-down version of the malware can be obtained for just $250.

According to the Vidar trojan analysis, the malware is written in the C++ programming language. Purchasing an account grants the attacker access to a control panel where the cybercriminal can configure the malware to target particular information on the victims’ PCs. As with Arkei, cybercriminals need to take precautions to protect the main payload themselves, using a crypter or a packer. The control panel displays the current builder version, user settings, malware status, and logs. It should be noted that the Vidar data stealer locates its C&C servers, where the stolen data is dropped, through domain names that change every four days. Although the domains rotate steadily, a constant response from the server is required.

Arkei is capable of stealing text files in multiple formats, browser cookies and history, and browser records, including data from TOR, as well as autofill values, including banking and credit card details. Based on the Vidar analysis, the malware can also search for cryptocurrency wallet information, take screenshots, and act as a message stealer, recording private messages from various applications.

What’s more, Vidar is also known to be able to steal digital coins from offline wallets. In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.

After collecting all targeted information, the malware archives it and sends the stolen data to a control server, after which Vidar removes traces of its work and deletes itself from the system.

Vidar analysis

A video recorded in the ANY.RUN malware hunting service lets us take a closer look at the lifecycle of Vidar, and researchers can perform their own Vidar analysis there.

Figure 1: A visual process graph generated by ANY.RUN

Figure 2: The customizable text report provided by ANY.RUN is a perfect tool to share the results of an analysis

Vidar execution process

According to the Vidar analysis, after the user downloads and runs a malicious file, it spawns a child process and collects information from the infected system. Often, once the information has been collected, the malware kills and deletes itself from the system through a command-line command.
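The kill-and-delete step described above leaves a recognisable trace in process-creation telemetry: a cmd.exe instance spawned by the stealer whose command line deletes the parent process's own executable. The script below is an added example for this page, not ANY.RUN's code. The event records are constructed in the style of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the exact command-line shape and the file name invoice.exe are assumptions, not values taken from this page.

```python
"""Flag a process that uses cmd.exe to delete its own executable.

Added example, not from the original page.  The event records are
constructed (Sysmon Event ID 1 style) and do not come from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that spawned it
    command_line: str   # command line of the new process


# Matches one `del` command with optional switches (/f, /q, ...) followed by
# a quoted or unquoted path.  cmd.exe syntax is case-insensitive.
_DEL_RE = re.compile(r'\bdel\b(?:\s+/\w)*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def deleted_paths(command_line: str) -> list[str]:
    """Return every path passed to a `del` command in a cmd.exe command line."""
    return [quoted or unquoted for quoted, unquoted in _DEL_RE.findall(command_line)]


def is_self_deletion(event: ProcessEvent) -> bool:
    """True when cmd.exe deletes the executable of the process that spawned it."""
    if not event.image.lower().endswith("\\cmd.exe"):
        return False
    parent = event.parent_image.lower()
    return any(path.lower() == parent for path in deleted_paths(event.command_line))


def find_self_deletions(events: list[ProcessEvent]) -> list[str]:
    """Return the image paths of processes that removed themselves via cmd.exe."""
    return [event.parent_image for event in events if is_self_deletion(event)]


# Constructed sample events: one self-deletion, one benign cleanup, one unrelated.
CONSTRUCTED_EVENTS = [
    ProcessEvent(  # stealer (assumed name invoice.exe) killing and deleting itself
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Users\victim\Downloads\invoice.exe",
        command_line=r'"C:\Windows\System32\cmd.exe" /c taskkill /im invoice.exe /f & timeout /t 6 & del /f /q "C:\Users\victim\Downloads\invoice.exe" & exit',
    ),
    ProcessEvent(  # benign: an installer removing its own log file, not its binary
        image=r"C:\Windows\System32\cmd.exe",
        parent_image=r"C:\Program Files\Vendor\setup.exe",
        command_line=r'cmd.exe /c del /q "C:\Users\victim\AppData\Local\Temp\setup.log"',
    ),
    ProcessEvent(  # not a cmd.exe process at all
        image=r"C:\Windows\explorer.exe",
        parent_image=r"C:\Windows\System32\userinit.exe",
        command_line="explorer.exe",
    ),
]

if __name__ == "__main__":
    for suspicious in find_self_deletions(CONSTRUCTED_EVENTS):
        print(f"self-deletion via cmd.exe: {suspicious}")
```

The check compares the deletion target against the parent's image path rather than looking for `del` alone, so routine cleanup of temporary files by installers is not flagged. In a real pipeline the same comparison can be done with a SIEM correlation between the ParentImage field and the paths extracted from the CommandLine field.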

How to avoid infection by Vidar malware?

When spread via spam email campaigns, like NanoCore or Agent Tesla, the Vidar stealer requires the user to download and run a malicious file before it becomes active and begins execution. Therefore, following some basic cybersecurity rules can help ensure that users stay safe from Arkei malware and that the incident response team works effectively.

As such, users should be careful when downloading attachments from emails sent by unknown senders. The best practice is to avoid downloading such files altogether, so as not to put oneself in danger at all.

In addition, downloading only licensed software from trustworthy sources and avoiding game-hacking clients greatly reduces the risk of infection with malware such as the Vidar trojan, which uses these attack vectors to infect victims.

The distribution process of Vidar

According to the Vidar trojan analysis, Arkei is distributed through spam email campaigns as a malicious attachment, like much other malware. In addition, cases of Vidar being distributed via shady software and game-hacking clients have also been recorded. The Vidar infostealer targets users all over the world, except in some ex-USSR countries, including Russia.

How to detect Vidar using ANY.RUN?

Some malware creates files in which it names itself. You can find such information about the Arkei trojan using ANY.RUN's "Static Discovering" feature during your Vidar analysis. Either open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

Figure 3: Arkei's log file

Conclusion

Vidar / Arkei is a hazardous information stealer trojan distributed as malware-as-a-service. Thanks to its extensive stealer feature set, the Vidar trojan can be used to retrieve a wide variety of information, including select cryptocurrency coins from users. Additionally, Vidar is capable of stealing data from TOR.

Thankfully, malware hunting services like ANY.RUN allow researchers to conduct extensive studies of malware samples in a secure environment, enabling them to share information about the danger and develop effective countermeasures and incident response.

IOCs

IP addresses
162.241.225.237
5.79.66.145
104.21.45.70
193.29.187.162
104.18.5.149
45.151.144.128
18.205.93.2
141.8.194.149
18.205.93.0
78.47.227.68
104.21.36.85
92.63.192.234
185.38.151.11
95.216.102.241
188.241.58.142
162.241.24.224
172.67.190.5
172.67.146.5
142.4.7.91
172.67.205.137
Hashes
b9246a7cb0efe77225d19ff1dc0c982a6649c9b96ab63446c80542f146929a1b
b6a654cadd98cb9ba6881193905c8923ac3b2904526e28c79827b6f62edfa322
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e
6f9d93eecb295baeb773c8726aee03d5f34cc0a30220467095cf8579cf96c773
162490faff9602b5fdad6aa9f94475dc7ffad2b9e5eae1d9e7ea894bfd590eea
90e7c78ca1612b6f6e0f2c25e00e4c73e9df86936a243a03a488a3b155334eea
8d3e88af492ec98160a63fe5694d10d918853b9648852754cb6f1c4693141d5b
b825b9cfd361a7ddb674351fe427f746a5994f6770d3bedff3bcf72b675b9add
4291753dae7f46064e83547ddbaa3dd5bbd350d1289ec94c9aa7e5adcb71e7f3
b33c7b7ec9b9d24687c50d8e914d57cb6f6f72b6776b8075b24c518c89f172b7
92ef1c4559871dd4b3741302675ea3095e6e9e699ad6b3868ffb4564c402b4a9
1c737de04f4943d7c917902adbfcb9ba3a4e2dc5dc2b49d37791c3a64fb4f0ea
feb309b8bacfbc4df001e9c015092fe7ed180c00b4d79767aa4eafda5bc15d16
1eda38c94d7896c350c73e5ac87cf2cd65e96ba7d03cddc7f1302c5d1b65ca88
cb22b33411f4ae8a6af069f25e750b18194b158e4170a6a676ae36de4f90830b
345a62badd4ef5ee36bedeca71b720b695828fa2faf203253172bf2f3f591e9c
40fe79a6997d8f169a5c16be5bb5c6c0b759ab302b70938a7d70a56db748e211
5fe7b2608a220dcfe293bb4277994da8e719d5dd4f73aba423d2b97329cc3df8
43a80ac218836ddd131f7377d0bef4fca5c3a1eb3fe05a63c69ce283dc32931e
ad1ad132f797904f3c28ee03171726fa380e4eabb0ce08b596807da7fefe64e2
Domains
basher.ezodn.com
gvl.ezodn.com
ezodn.com
cloudflare.hcaptcha.com
st.tubecorporate.com
chikiporn1.vanessadelriomovies.com
st.ipornia.com
pn.bquildna43.site
hosting.miarroba.info
extlinka.ru
fly-analytics.com
surl.li
vcctggqm3t.dattolocal.net
zefoy.com
booking.msg.bluhotels.com
0.pool.ntp.org
rgyui.top
carder.bit
zerit.top
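To put the indicators above to use, a defender typically sweeps DNS, proxy and endpoint telemetry for them. The script below is an added example for this page, not ANY.RUN tooling: the indicator values are a subset copied from the IOC list on this page, while the log lines are constructed to exercise the matching and do not come from a real host. Domain matching treats a subdomain of a listed domain as a hit, and hashes are compared case-insensitively.

```python
"""Sweep constructed log lines for the IP, SHA-256 and domain IOCs listed on this page.

Added example, not from the original page.  IOC values are copied from the
page's IOC list; the log lines are constructed sample data.
"""
from __future__ import annotations

import re

# Subset of the indicators listed on this page.
IOC_IPS = {"162.241.225.237", "5.79.66.145", "193.29.187.162", "92.63.192.234"}
IOC_SHA256 = {
    "b9246a7cb0efe77225d19ff1dc0c982a6649c9b96ab63446c80542f146929a1b",
    "c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e",
}
IOC_DOMAINS = {"rgyui.top", "zerit.top", "carder.bit", "extlinka.ru"}

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostnames: dotted labels ending in an alphabetic TLD (so IPv4 strings never match).
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host: str) -> str | None:
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, matched_value) pairs found in one log line."""
    hits: list[tuple[str, str]] = []
    for ip in _IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in _SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    for host in _HOST_RE.findall(line):
        matched = domain_matches(host)
        if matched:
            hits.append(("domain", matched))
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, tuple[str, str]]]:
    """Return (line_index, hit) for every IOC hit across the log."""
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_line(line)]


# Constructed sample telemetry: one DNS hit, one proxy hit, one file-hash hit, one clean line.
CONSTRUCTED_LOG = [
    "2023-01-27T10:14:02Z dns query=c2.rgyui.top type=A client=10.0.0.21",
    "2023-01-27T10:14:03Z proxy CONNECT 193.29.187.162:443 user=victim bytes_out=48213",
    "2023-01-27T10:13:58Z edr file_created path=C:\\Users\\victim\\Downloads\\invoice.exe "
    "sha256=B9246A7CB0EFE77225D19FF1DC0C982A6649C9B96AB63446C80542F146929A1B",
    "2023-01-27T10:15:00Z dns query=www.example.com type=A client=10.0.0.21",
]

if __name__ == "__main__":
    for index, (kind, value) in scan_log(CONSTRUCTED_LOG):
        print(f"line {index}: {kind} IOC {value}")
```

When sweeping with the full list, weight the hits: the file hashes are strong indicators, while several of the listed domains and addresses belong to shared infrastructure (Cloudflare address ranges, the hCaptcha service, the public NTP pool), so a match on those alone is weak evidence and should be corroborated with the process behaviour described earlier.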
